Splunk Search
Highlighted

Calculate traffic split based on URI prefix

Explorer

Hi,

The traffic in our application is routed according to a URI prefix, for example: uri_path=/foo/* or uri_path=/bar/*. How can I produce a pie chart that simply shows the percentage of traffic that went to each uri_path?

0 Karma
Highlighted

Re: Calculate traffic split based on URI prefix

SplunkTrust
SplunkTrust

If this field is extracted try this.

your base search | stats count by uripath
or
your base search | chart count by uri
path

and use pie chart as visualisation.

0 Karma
Highlighted

Re: Calculate traffic split based on URI prefix

Explorer

Thanks, but uripath contains numerous values. I need the grouping by uripath prefix.

0 Karma
Highlighted

Re: Calculate traffic split based on URI prefix

SplunkTrust
SplunkTrust

Then (based on your example, your just need first part of uri, '/foo' and '/bar'), try this.

your base search| rex field=uripath "^(?<uriprefix>.*)\/"| stats count by uri_prefix

Highlighted

Re: Calculate traffic split based on URI prefix

Explorer

I don't think that does what I need. I'm expecting two figures: one for all uripaths that start with /foo and another for all uripaths that start with /bar.

0 Karma
Highlighted

Re: Calculate traffic split based on URI prefix

SplunkTrust
SplunkTrust

With the search "your base search| rex field=uripath "^(?<uriprefix>.*)/"", what values you're getting in the field uri_prefix?

0 Karma
Highlighted

Re: Calculate traffic split based on URI prefix

Explorer

I get > 100 different values for the uri_prefix field. Lots of different URLs that start with /foo or /bar.

0 Karma
Highlighted

Re: Calculate traffic split based on URI prefix

SplunkTrust
SplunkTrust

It seems slashes were removed in the comment field. try this.

your base search| rex field=uripath "^/(?<uriprefix>[^/]*)"| stats count by uri_prefix

0 Karma
Highlighted

Re: Calculate traffic split based on URI prefix

Explorer

Thanks, but it still gives 100s of different values for uri_prefix instead of the two I want.

0 Karma
Highlighted

Re: Calculate traffic split based on URI prefix

SplunkTrust
SplunkTrust

Try the updated search '| rex field=uripath "^/(?<uriprefix>[^/]*)"'. This gives 'bar' and 'foo' from the uri.

0 Karma